The present invention relates to an authentication system, a network line concentrator, an authentication method used therefor, and a program for executing the method and, in particular, to a method of restricting access at an authentication hub when a terminal equipment is connected to a network.
At present, two methods of restricting access at an authentication hub are in use: the IEEE (Institute of Electrical and Electronics Engineers) 802.1x authentication system illustrated in FIG. 1 and the authentication VLAN (Virtual Local Area Network) system illustrated in FIG. 2.
Referring to FIG. 1, the IEEE 802.1x authentication system will be described. In this system, an authentication hub 32 performs the authenticating operation on behalf of an authentication server 33 when a terminal equipment 31 accesses the authentication hub 32, in the following manner. Before authentication, all ordinary frames transmitted from the terminal equipment 31 are discarded at the authentication hub 32, and the authentication hub 32 accepts an authentication frame alone; that is, the authentication hub 32 enforces a communication restriction. The authentication hub 32 extracts sender information (a sender address, a user name, a password, and so on) from the authentication frame and transmits an authentication acknowledgment frame carrying that information to the authentication server 33. In this manner, the authentication hub 32 performs the authenticating operation on behalf of the server.
If the authentication server 33 accepts the authentication acknowledgment frame, it sends the authentication hub 32 a permission setting frame that grants communication permission either to frames from the port connected to the terminal equipment 31 or to frames whose sender address is the MAC (Media Access Control) address specific to the terminal equipment 31.
In response to the permission setting frame, the authentication hub 32 lifts the communication restriction. Thereafter, the terminal equipment 31 can reach a network 300 through the authentication hub 32, a switching hub 34, and a router 35.
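The port-restricting behaviour described for FIG. 1 can be modelled in a few dozen lines. The following Python is an added illustration, not the patent's or any vendor's code: the Frame class, the credential store, the verdict strings and the sample MAC addresses are assumptions made for the example, and only the EAPOL EtherType value is taken from IEEE 802.1X. The model also shows the difference between the two forms of permission setting frame (per port and per MAC) on a second sender sharing the port and on the authenticated MAC appearing on another port.

```python
"""Model of the port-restricting authentication hub described for FIG. 1.

Added illustration, not the patent's or any vendor's code.  The Frame class,
the credential store and the verdict strings are assumptions made for this
example; only the EAPOL EtherType value is taken from IEEE 802.1X.
"""
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E  # EtherType of IEEE 802.1X (EAPOL) frames
ETHERTYPE_IPV4 = 0x0800   # an "ordinary" frame, discarded before authentication


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: dict = field(default_factory=dict)


class AuthenticationServer:
    """Stand-in for authentication server 33: verifies the sender information
    extracted by the hub and answers accept/reject.  Constructed credentials."""

    def __init__(self, users):
        self._users = users

    def check(self, user, password):
        return user is not None and self._users.get(user) == password


class AuthenticationHub:
    """Stand-in for authentication hub 32.  grant_by selects the form of the
    permission setting frame: "port" opens the whole port, "mac" opens only
    frames whose sender address is the authenticated MAC."""

    def __init__(self, server, grant_by="mac"):
        self.server = server
        self.grant_by = grant_by
        self.permitted_ports = set()
        self.permitted_macs = set()
        self.forwarded = []  # frames relayed towards switching hub 34

    def receive(self, port, frame):
        # Communication restriction already lifted for this port or sender.
        if port in self.permitted_ports or frame.src_mac in self.permitted_macs:
            self.forwarded.append((port, frame))
            return "forwarded"
        # Before authentication the hub accepts the authentication frame alone.
        if frame.ethertype != ETHERTYPE_EAPOL:
            return "discarded"
        # Extract sender information and relay it to the authentication server.
        user = frame.payload.get("user")
        password = frame.payload.get("password")
        if not self.server.check(user, password):
            return "rejected"
        # Permission setting frame: lift the restriction for the port or MAC.
        if self.grant_by == "port":
            self.permitted_ports.add(port)
        else:
            self.permitted_macs.add(frame.src_mac)
        return "permitted"


def run_scenario(grant_by="mac"):
    """Drive one terminal through the flow; returns the hub's verdict on each
    frame in order.  MACs and credentials are constructed sample data."""
    hub = AuthenticationHub(AuthenticationServer({"alice": "s3cret"}), grant_by)
    mac = "00:11:22:33:44:55"
    other_mac = "66:77:88:99:aa:bb"
    return [
        # 1. ordinary frame before authentication: discarded
        hub.receive(1, Frame(mac, ETHERTYPE_IPV4)),
        # 2. authentication frame with a wrong password: rejected
        hub.receive(1, Frame(mac, ETHERTYPE_EAPOL, {"user": "alice", "password": "nope"})),
        # 3. authentication frame with valid credentials: permission set
        hub.receive(1, Frame(mac, ETHERTYPE_EAPOL, {"user": "alice", "password": "s3cret"})),
        # 4. the same terminal's ordinary frame now passes
        hub.receive(1, Frame(mac, ETHERTYPE_IPV4)),
        # 5. a second, unauthenticated MAC on the same port: passes only when
        #    the permission was set per port rather than per MAC
        hub.receive(1, Frame(other_mac, ETHERTYPE_IPV4)),
        # 6. the authenticated MAC seen on another port: passes only under the
        #    per-MAC setting, which trusts the sender address as presented
        hub.receive(2, Frame(mac, ETHERTYPE_IPV4)),
    ]
```

Frames 5 and 6 are the practical check: a per-port permission admits anything behind the port once one user has authenticated, while a per-MAC permission admits any frame that presents the authenticated sender address, wherever it arrives. Which form is acceptable depends on whether the port is expected to carry a single trusted host.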
Referring to FIG. 2, the authentication VLAN system will be described. In the authentication VLAN system, a terminal equipment 41 is first allowed to join a pre-authentication network 401, called a default LAN, whose connection range is limited (see, for example, Japanese Unexamined Patent Application Publication (JP-A) No. 2004-64204).
The terminal equipment 41 requests a DHCP (Dynamic Host Configuration Protocol) server 46, which is reachable from the pre-authentication network 401, to lease a provisional IP (Internet Protocol) address, and sends an authentication request to an authentication server 43 using that provisional IP address.
If the authentication server 43 accepts the authentication request, it indicates to the DHCP server 46 and to an authentication hub 42 the VLAN (post-authentication network 402) to which the terminal equipment 41 should belong.
The DHCP server 46 releases the provisional IP address assigned to the terminal equipment 41 and informs the terminal equipment 41 of an IP address for the post-authentication network 402. The authentication hub 42 permits the terminal equipment 41 to connect to the post-authentication network 402 indicated by the authentication server 43. Thereafter, the terminal equipment 41 can reach a network 400 through the authentication hub 42, a switching hub 44, and a router 45.
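The three-party exchange described for FIG. 2 (terminal, DHCP server, authentication server and hub) can likewise be modelled. The Python below is an added illustration, not the patent's or any vendor's code: the address pools, the user-to-VLAN table, the method names and the sample MAC are assumptions made for the example, and the IP addresses are taken from the RFC 5737 documentation ranges. It adds one check the text leaves implicit: the authentication server only honours a request whose source address is the provisional address the DHCP server actually leased to that MAC on the default LAN.

```python
"""Model of the authentication VLAN flow described for FIG. 2.

Added illustration, not the patent's or any vendor's code.  The address
pools, the user-to-VLAN table and the method names are assumptions; the
IP addresses come from the RFC 5737 documentation ranges.
"""

DEFAULT_LAN = 401   # pre-authentication network (default LAN)


class DhcpServer:
    """Stand-in for DHCP server 46.  Leases from the default LAN pool before
    authentication and re-leases on the VLAN the authentication server names."""

    def __init__(self):
        self.pools = {DEFAULT_LAN: ["192.0.2.10", "192.0.2.11"],
                      402: ["198.51.100.10", "198.51.100.11"]}
        self.leases = {}   # mac -> (vlan, ip)

    def lease(self, mac, vlan=DEFAULT_LAN):
        ip = self.pools[vlan].pop(0)
        self.leases[mac] = (vlan, ip)
        return ip

    def release(self, mac):
        vlan, ip = self.leases.pop(mac)
        self.pools[vlan].insert(0, ip)

    def move(self, mac, vlan):
        """Called on the authentication server's indication: release the
        provisional address and hand out one for the post-authentication VLAN."""
        self.release(mac)
        return self.lease(mac, vlan)


class AuthenticationHub:
    """Stand-in for authentication hub 42: tracks which VLAN each port joins."""

    def __init__(self):
        self.port_vlan = {}

    def connect(self, port):
        self.port_vlan[port] = DEFAULT_LAN   # limited-range network first

    def assign(self, port, vlan):
        self.port_vlan[port] = vlan


class AuthenticationServer:
    """Stand-in for authentication server 43."""

    def __init__(self, users, dhcp, hub):
        self.users = users    # user -> (password, vlan); constructed table
        self.dhcp = dhcp
        self.hub = hub

    def authenticate(self, port, mac, src_ip, user, password):
        # The request must come from the provisional address leased to this
        # MAC on the default LAN; anything else is refused (added check).
        if self.dhcp.leases.get(mac) != (DEFAULT_LAN, src_ip):
            return None
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return None
        vlan = entry[1]
        # Indicate the post-authentication VLAN to the hub and the DHCP server.
        self.hub.assign(port, vlan)
        new_ip = self.dhcp.move(mac, vlan)
        return vlan, new_ip


def run_flow(password="s3cret"):
    """Run one terminal through the flow; returns the observable end state."""
    dhcp, hub = DhcpServer(), AuthenticationHub()
    server = AuthenticationServer({"alice": ("s3cret", 402)}, dhcp, hub)
    port, mac = 1, "00:11:22:33:44:55"          # constructed sample terminal
    hub.connect(port)
    provisional_ip = dhcp.lease(mac)             # leased on the default LAN
    result = server.authenticate(port, mac, provisional_ip, "alice", password)
    return {
        "provisional_ip": provisional_ip,
        "result": result,
        "port_vlan": hub.port_vlan[port],
        "lease": dhcp.leases[mac],
    }
```

The returned state makes the cost noted later in the text visible: after a successful authentication the terminal's lease, its VLAN membership and its address all change at once, so the terminal must re-acquire its network settings before it can communicate on network 402.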
However, the above-mentioned conventional methods of restricting access at the authentication hub have the following disadvantages.
In the case of the IEEE 802.1x authentication system, a protocol specific to the authentication system is used, so the authentication hub must be provided with a special program for authenticating the terminal equipment.
Further, in the IEEE 802.1x authentication system, the authentication hub relays the authentication process between the terminal equipment and the authentication server. This relaying is executed in software. Therefore, the authentication hub is required to have high software processing capacity.
Further, in the IEEE 802.1x authentication system, an unauthenticated terminal equipment cannot be connected to the network at all. Therefore, it is impossible to provide limited functions to an unauthenticated terminal equipment.
On the other hand, in the authentication VLAN system, the switch from the pre-authentication network to the post-authentication network permitted by authentication occurs after authentication is complete. At that time, the terminal equipment must change its network settings. Therefore, a long time passes after authentication is complete before communication can actually be carried out. In some cases, a restriction is also imposed on the type of OS (Operating System) that can be used at the terminal equipment.
In the authentication VLAN system, a plurality of devices must cooperate in the authenticating operation. As a result, the devices usable in the system are limited. For example, the DHCP server must lease the IP address according to a request from the authentication server. Therefore, a special-purpose DHCP server is required or, alternatively, the DHCP server must be provided with a function-addition program.
Further, in the authentication VLAN system, the authentication hub is required to have advanced functions such as VLAN switching and trunking of a plurality of VLANs. Therefore, the authentication hub itself becomes expensive, highly functional equipment.